Analysis
max time kernel: 101s
max time network: 168s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 07-10-2023 12:24
Static task: static1
Behavioral task: behavioral1
  Sample: 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe
  Resource: win10v2004-20230915-en
General
Target: 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe
Size: 1.4MB
MD5: 98a6c4e1066c11a81d132dda967a71ba
SHA1: cb66e5d628590b3d6a11c27758a07abff4ce9103
SHA256: 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a
SHA512: a9207d14a392a22f585fb130aaf3ec258f47ab4c5e8d14a02134921964e007c84eee2c4041382dfeed7e130ab1f0ce20be4d57d4199607afa54f9cb5259c59de
SSDEEP: 12288:07gKNkhm/JuyXnPB+h8WHUXI7vgbrWVQhTCYHvRktx/aICF9flefuKaO0VQ/:07zNkhm5PBXE743TvRk6NwG
Malware Config
Signatures

Executes dropped EXE 41 IoCs
pid   Process
472   (process not found)
2212  alg.exe
2580  aspnet_state.exe
2632  mscorsvw.exe
2932  mscorsvw.exe
3036  mscorsvw.exe
484   mscorsvw.exe
2864  dllhost.exe
616   ehRecvr.exe
956   ehsched.exe
1080  elevation_service.exe
824   mscorsvw.exe
1804  IEEtwCollector.exe
2016  GROOVE.EXE
3024  maintenanceservice.exe
2188  msdtc.exe
1992  msiexec.exe
1940  mscorsvw.exe
2964  OSE.EXE
2416  OSPPSVC.EXE
1664  perfhost.exe
1756  locator.exe
1488  snmptrap.exe
1860  vds.exe
2584  vssvc.exe
1040  wbengine.exe
868   WmiApSrv.exe
2292  wmpnetwk.exe
2392  SearchIndexer.exe
852   mscorsvw.exe
2968  mscorsvw.exe
1808  mscorsvw.exe
2604  mscorsvw.exe
2316  mscorsvw.exe
2592  mscorsvw.exe
1968  mscorsvw.exe
2412  mscorsvw.exe
1816  mscorsvw.exe
3040  mscorsvw.exe
1972  mscorsvw.exe
1928  mscorsvw.exe

Loads dropped DLL 15 IoCs
pid   Process
472   (process not found)  (x8)
1992  msiexec.exe
472   (process not found)  (x5)
756   (process not found)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 17 IoCs
description: File opened for modification (all rows)
Process 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe:
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\system32\IEEtwCollector.exe
  C:\Windows\System32\msdtc.exe
  C:\Windows\system32\msiexec.exe
  C:\Windows\system32\locator.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\System32\vds.exe
  C:\Windows\system32\wbengine.exe
  C:\Windows\System32\alg.exe
Process GROOVE.EXE:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Process aspnet_state.exe:
  C:\Windows\system32\config\systemprofile\AppData\Roaming\3e72d012bda5b981.bin
Process msdtc.exe:
  C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory 64 IoCs
description: File opened for modification (all rows)
Process 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe:
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  C:\Program Files\Java\jre7\bin\java-rmi.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
  C:\Program Files\Windows Media Player\wmpnetwk.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
  C:\Program Files\Internet Explorer\iediagcmd.exe
  C:\Program Files\Java\jre7\bin\java.exe
  C:\Program Files (x86)\Google\Update\Install\{FE707B72-2DAE-4A20-A115-8E06293BEA98}\chrome_installer.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  C:\Program Files\Mozilla Firefox\plugin-container.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
  C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
  C:\Program Files\Java\jre7\bin\javaws.exe
  C:\Program Files\Java\jre7\bin\keytool.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
  C:\Program Files\Java\jre7\bin\rmiregistry.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
  C:\Program Files\Java\jre7\bin\rmid.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files\VideoLAN\VLC\uninstall.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
  C:\Program Files\VideoLAN\VLC\vlc.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
  C:\Program Files\Java\jre7\bin\servertool.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
Drops file in Windows directory 29 IoCs
Process 446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe, File opened for modification:
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\ehome\ehsched.exe
  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  C:\Windows\ehome\ehRecvr.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Process mscorsvw.exe, File created:
  C:\Windows\Microsoft.NET\ngennicupdatelock.dat  (x2)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
  C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat  (x2)
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
Process mscorsvw.exe, File opened for modification:
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
Process msdtc.exe, File opened for modification:
  C:\Windows\DtcInstall.log
Process dllhost.exe:
  File created: C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{79DB0710-A14E-463A-8E20-2D6BFE9C0FCF}.crmlog
  File opened for modification: C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{79DB0710-A14E-463A-8E20-2D6BFE9C0FCF}.crmlog
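The three "Drops file" tables above are flattened "description ioc Process" rows, and every target the sample touches is an existing executable opened for modification (alg.exe, msiexec.exe, the .NET mscorsvw.exe service binaries, Java, Adobe and browser EXEs) rather than a newly created file; that is why the later "Executes dropped EXE" entries are Windows and Office service images started by the system. The Python below is an added example, not part of the sandbox output: it parses rows in that flattened form (paths may contain spaces, the process image never does, so the image is the last token) and summarises which executables the sample overwrote and which other processes wrote files. The excerpt it parses is a constructed subset copied from the rows above.

```python
"""Parse the flattened "Drops file" rows of the report into records.

Added example, not part of the sandbox output. Input is the one-line form
seen above: repeated "<description> <path> <process>" triples with no
delimiter, where <path> may contain spaces and <process> never does.
"""
import re
from collections import Counter, defaultdict

# Row descriptions that occur in the tables above.
DESCRIPTIONS = ("File opened for modification", "File created")
_ROW_RE = re.compile("(" + "|".join(re.escape(d) for d in DESCRIPTIONS) + ")")

SAMPLE = "446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe"

# Constructed excerpt: a subset of the rows copied from the report above.
EXCERPT = (
    "description ioc Process "
    rf"File opened for modification C:\Windows\System32\snmptrap.exe {SAMPLE} "
    rf"File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe {SAMPLE} "
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3e72d012bda5b981.bin aspnet_state.exe "
    rf"File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe {SAMPLE} "
    rf"File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe {SAMPLE} "
    r"File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe "
    r"File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe "
    r"File opened for modification C:\Windows\DtcInstall.log msdtc.exe"
)


def parse_file_rows(text):
    """Return a list of (description, path, process) tuples."""
    rows = []
    parts = _ROW_RE.split(text)  # [prefix, desc1, body1, desc2, body2, ...]
    for desc, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        # The process image is the last token; everything before it is the
        # path, so "Program Files (x86)" and other spaced directories survive.
        path, _, process = body.rpartition(" ")
        if not path or not process:
            raise ValueError(f"row without a process column: {body!r}")
        rows.append((desc, path, process))
    return rows


def modified_executables(rows, process):
    """Existing .exe files that `process` opened for modification."""
    return sorted({
        path for desc, path, proc in rows
        if proc == process
        and desc == "File opened for modification"
        and path.lower().endswith(".exe")
    })


def by_directory(paths):
    """Count targets per top-level directory (drive + first component)."""
    return dict(Counter("\\".join(p.split("\\")[:2]) for p in paths))


def summarize(text=EXCERPT, sample=SAMPLE):
    """Structured summary: sample's EXE targets and what other processes wrote."""
    rows = parse_file_rows(text)
    targets = modified_executables(rows, sample)
    others = defaultdict(set)
    for desc, path, proc in rows:
        if proc != sample:
            others[proc].add((desc, path))  # set: duplicate rows collapse
    return {
        "rows": len(rows),
        "exe_targets": targets,
        "per_dir": by_directory(targets),
        "other_writers": {proc: sorted(v) for proc, v in others.items()},
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['rows']} rows; sample modified {len(s['exe_targets'])} existing executables")
    for top, n in sorted(s["per_dir"].items()):
        print(f"  {n:3d}  {top}")
    for proc, items in s["other_writers"].items():
        print(f"  {proc}: {len(items)} distinct file(s)")
```

Feed the full "Drops file" text of a report to `summarize(text)` to get the complete target list; the `.exe` filter is what separates infection targets from the lock, log and .bin files written by the already-running service processes.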
Modifies data under HKEY_USERS 54 IoCs
(key paths below are relative to \REGISTRY\USER\.DEFAULT)
Process ehRecvr.exe:
  Key created SOFTWARE\Microsoft
  Key created Software\Microsoft\ActiveMovie\devenum 64-bit
  Set value (int) SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"
  Key created SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
  Key created Software
  Key created SOFTWARE\Microsoft\ActiveMovie
Process ehRec.exe:
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"
  Key created SOFTWARE\Microsoft\SBE\SAL
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"
  Key created SOFTWARE\Microsoft\SBE
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"
  Set value (int) SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"
Process SearchIndexer.exe:
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process SearchProtocolHost.exe:
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Set value (str) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
Process GROOVE.EXE:
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Process OSPPSVC.EXE:
  Key created SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
  Set value (data) SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (binary value not preserved in this capture)
Process wmpnetwk.exe:
  Key created Software
  Key created SOFTWARE\Microsoft\MediaPlayer\Health\{63F96F5D-24BB-4998-AD1F-B594763A33B7}
  Key created SOFTWARE\Microsoft
  Key created SOFTWARE\Microsoft\MediaPlayer\Health
  Key created SOFTWARE\Microsoft\MediaPlayer
  Key created Software\Microsoft\MediaPlayer\Preferences\
  Key created Software\Microsoft\MediaPlayer\Health\{63F96F5D-24BB-4998-AD1F-B594763A33B7}
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid   Process
1548  ehRec.exe
2160  446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe  (x25)
Suspicious use of AdjustPrivilegeToken 34 IoCs
(in the order logged; consecutive identical rows are collapsed with a count)
Token: SeTakeOwnershipPrivilege   2160  446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe
Token: SeShutdownPrivilege        3036  mscorsvw.exe
Token: SeShutdownPrivilege        484   mscorsvw.exe
Token: SeShutdownPrivilege        3036  mscorsvw.exe
Token: SeShutdownPrivilege        484   mscorsvw.exe  (x3)
Token: SeShutdownPrivilege        3036  mscorsvw.exe  (x2)
Token: 33                         1404  EhTray.exe
Token: SeIncBasePriorityPrivilege 1404  EhTray.exe
Token: SeDebugPrivilege           1548  ehRec.exe
Token: SeRestorePrivilege         1992  msiexec.exe
Token: SeTakeOwnershipPrivilege   1992  msiexec.exe
Token: SeSecurityPrivilege        1992  msiexec.exe
Token: SeBackupPrivilege          2584  vssvc.exe
Token: SeRestorePrivilege         2584  vssvc.exe
Token: SeAuditPrivilege           2584  vssvc.exe
Token: SeBackupPrivilege          1040  wbengine.exe
Token: SeRestorePrivilege         1040  wbengine.exe
Token: SeSecurityPrivilege        1040  wbengine.exe
Token: 33                         1404  EhTray.exe
Token: SeIncBasePriorityPrivilege 1404  EhTray.exe
Token: SeShutdownPrivilege        484   mscorsvw.exe
Token: 33                         2292  wmpnetwk.exe
Token: SeIncBasePriorityPrivilege 2292  wmpnetwk.exe
Token: SeManageVolumePrivilege    2392  SearchIndexer.exe
Token: 33                         2392  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2392  SearchIndexer.exe
Token: SeDebugPrivilege           2160  446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe  (x5)
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1404  EhTray.exe  (x2)

Suspicious use of SendNotifyMessage 2 IoCs
pid   Process
1404  EhTray.exe  (x2)

Suspicious use of SetWindowsHookEx 11 IoCs
pid   Process
1564  SearchProtocolHost.exe  (x5)
1580  SearchProtocolHost.exe  (x6)
Suspicious use of WriteProcessMemory 63 IoCs
(one row per write; identical rows are collapsed with a count; procid_target is the report's row index for the target process)
pid   Process            wrote to memory of   procid_target  rows
484   mscorsvw.exe       824                  39             x3
484   mscorsvw.exe       1940                 46             x3
3036  mscorsvw.exe       852                  60             x4
2392  SearchIndexer.exe  1564                 61             x3
2392  SearchIndexer.exe  2980                 62             x3
3036  mscorsvw.exe       2968                 63             x4
3036  mscorsvw.exe       1808                 64             x4
3036  mscorsvw.exe       2604                 65             x4
2392  SearchIndexer.exe  1580                 66             x3
3036  mscorsvw.exe       2316                 67             x4
3036  mscorsvw.exe       2592                 68             x4
3036  mscorsvw.exe       1968                 69             x4
3036  mscorsvw.exe       2412                 70             x4
3036  mscorsvw.exe       1816                 71             x4
3036  mscorsvw.exe       3040                 72             x4
3036  mscorsvw.exe       1972                 73             x4
3036  mscorsvw.exe       1928                 74             x4
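The WriteProcessMemory table records one row per write, so the same parent/child pair appears three or four times and the parent/child relationship is buried in the repetition. The Python below is an added example, not part of the sandbox output: it parses rows of the form "PID <parent> wrote to memory of <child> <parent> <image> <row>", collapses the duplicates into one edge with a write count, and renders the resulting process tree. The excerpt it parses is a constructed subset copied from the rows above; child images are looked up from the "Executes dropped EXE" and SetWindowsHookEx tables, and a pid the report never names (2980) renders as "?".

```python
"""Rebuild a parent/child process tree from "wrote to memory of" rows.

Added example, not part of the sandbox output. Each row above has the
shape "PID <parent> wrote to memory of <child> <parent> <image> <row>";
the same pair is logged once per WriteProcessMemory call, so rows repeat.
"""
import re
from collections import defaultdict

_ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<row>\d+)"
)

# Constructed excerpt: a subset of the 63 rows copied from the table above.
EXCERPT = (
    "PID 484 wrote to memory of 824 484 mscorsvw.exe 39 "
    "PID 484 wrote to memory of 824 484 mscorsvw.exe 39 "
    "PID 484 wrote to memory of 824 484 mscorsvw.exe 39 "
    "PID 484 wrote to memory of 1940 484 mscorsvw.exe 46 "
    "PID 3036 wrote to memory of 852 3036 mscorsvw.exe 60 "
    "PID 3036 wrote to memory of 852 3036 mscorsvw.exe 60 "
    "PID 2392 wrote to memory of 1564 2392 SearchIndexer.exe 61 "
    "PID 2392 wrote to memory of 2980 2392 SearchIndexer.exe 62 "
    "PID 3036 wrote to memory of 2968 3036 mscorsvw.exe 63 "
    "PID 2392 wrote to memory of 1580 2392 SearchIndexer.exe 66 "
    "PID 3036 wrote to memory of 1928 3036 mscorsvw.exe 74"
)

# Child pid -> image, taken from the "Executes dropped EXE" and
# SetWindowsHookEx tables above; pids the report never names render as "?".
CHILD_IMAGES = {
    824: "mscorsvw.exe", 1940: "mscorsvw.exe", 852: "mscorsvw.exe",
    2968: "mscorsvw.exe", 1928: "mscorsvw.exe",
    1564: "SearchProtocolHost.exe", 1580: "SearchProtocolHost.exe",
}


def parse_writes(text):
    """Return ({(parent, child): write_count}, {parent_pid: image})."""
    counts = defaultdict(int)
    images = {}
    for m in _ROW_RE.finditer(text):
        parent, child = int(m["parent"]), int(m["child"])
        counts[(parent, child)] += 1   # duplicates become a count
        images[parent] = m["image"]
    return dict(counts), images


def build_tree(counts):
    """parent -> sorted children, one edge per distinct (parent, child) pair."""
    tree = defaultdict(list)
    for parent, child in counts:
        tree[parent].append(child)
    return {p: sorted(c) for p, c in tree.items()}


def roots(tree):
    """Parents that are never anyone's child: the top of each subtree."""
    children = {c for kids in tree.values() for c in kids}
    return sorted(p for p in tree if p not in children)


def render(tree, images, counts, pid, depth=0, writes=None, out=None):
    """Indented lines, one per process, with the write count on each edge."""
    out = [] if out is None else out
    label = f"{pid} {images.get(pid, '?')}"
    if writes is not None:
        label += f"  ({writes} write{'s' if writes != 1 else ''})"
    out.append("  " * depth + label)
    for child in tree.get(pid, []):
        render(tree, images, counts, child, depth + 1, counts[(pid, child)], out)
    return out


def process_tree(text=EXCERPT, child_images=CHILD_IMAGES):
    """Parse the rows and return the rendered tree as a list of lines."""
    counts, images = parse_writes(text)
    images = {**child_images, **images}  # parents come from the rows themselves
    tree = build_tree(counts)
    lines = []
    for root in roots(tree):
        render(tree, images, counts, root, out=lines)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

On the full table this collapses the 63 rows to 17 edges: mscorsvw.exe 3036 writing into twelve further mscorsvw.exe workers, mscorsvw.exe 484 into two, and SearchIndexer.exe 2392 into three SearchProtocolHost.exe children, which matches the NGen worker command lines shown in the Processes section.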
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\446785acd40da1ce9d8a65866c33558367f565a60bc99d1289f48f7947d2dd9a.exe"
Tree level: 1
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
Tree level: 1
- Executes dropped EXE
PID:2212
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
PID:2580
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2632
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2932
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:852
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1f0 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:2968
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1e0 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1808
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 254 -NGENProcess 260 -Pipe 1dc -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:2604
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 240 -Pipe 184 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:2316
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 254 -Pipe 1f8 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:2592
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 264 -NGENProcess 1e0 -Pipe 23c -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1968
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 240 -Pipe 258 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:2412
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 260 -NGENProcess 1ac -Pipe 250 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1816
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 24c -Pipe 26c -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:3040
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1972
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1928
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
Tree level: 2
PID:2960
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 270 -NGENProcess 240 -Pipe 260 -Comment "NGen Worker Process"
Tree level: 2
PID:2408
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
Tree level: 2
PID:400
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 290 -Pipe 248 -Comment "NGen Worker Process"
Tree level: 2
PID:2664
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1c4 -NGENProcess 1c8 -Pipe 1d4 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:824
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 240 -NGENProcess 248 -Pipe 1d0 -Comment "NGen Worker Process"
Tree level: 2
- Executes dropped EXE
PID:1940
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
PID:2864
-
C:\Windows\ehome\ehRecvr.exe
Command line: C:\Windows\ehome\ehRecvr.exe
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:616
-
C:\Windows\ehome\ehsched.exe
Command line: C:\Windows\ehome\ehsched.exe
Tree level: 1
- Executes dropped EXE
PID:956
-
C:\Windows\eHome\EhTray.exe
Command line: "C:\Windows\eHome\EhTray.exe" /nav:-2
Tree level: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Tree level: 1
- Executes dropped EXE
PID:1080
-
C:\Windows\ehome\ehRec.exe
Command line: C:\Windows\ehome\ehRec.exe -Embedding
Tree level: 1
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
C:\Windows\system32\IEEtwCollector.exe
Command line: C:\Windows\system32\IEEtwCollector.exe /V
Tree level: 1
- Executes dropped EXE
PID:1804
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2016
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Tree level: 1
- Executes dropped EXE
PID:3024
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
Tree level: 1
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2188
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Tree level: 1
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree level: 1
- Executes dropped EXE
PID:2964
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2416
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
Tree level: 1
- Executes dropped EXE
PID:1664
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
Tree level: 1
- Executes dropped EXE
PID:1756
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
Tree level: 1
- Executes dropped EXE
PID:1488
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree level: 1
- Executes dropped EXE
PID:1860
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree level: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Tree level: 1
- Executes dropped EXE
PID:868
-
C:\Program Files\Windows Media Player\wmpnetwk.exe
Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree level: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2180306848-1874213455-4093218721-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2180306848-1874213455-4093218721-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
Tree level: 2
- Suspicious use of SetWindowsHookEx
PID:1564
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
Tree level: 2
PID:2980
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Tree level: 2
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1580
-
Network
MITRE ATT&CK Enterprise v15
Downloads